GDPR Cloud Migration: 12-Point Checklist

1. Pre-migration (steps 1-4)

1. Provider comparison including DPF status and EU-region availability.
2. DPA negotiation with mandatory clauses (sub-processor list, audit rights, breach notification windows).
3. Transfer Impact Assessment (TIA) for any third-country component.
4. Data Protection Impact Assessment (DPIA) for high-risk processing moving to the cloud.

2. Migration (steps 5-8)

5. Data-flow mapping and records-of-processing update.
6. Encryption at rest and in transit, with documented key management.
7. Customer-lockbox or equivalent provider-access controls activated.
8. Audit logging enabled, retention period set in line with retention concept.

3. Post-migration (steps 9-12)

9. Employee training on the new platform's privacy controls.
10. Privacy notice updated with new processor and data location.
11. Breach workflow updated with cloud-specific escalation paths.
12. Exit plan documented: data return format, restore window, deletion confirmation.

4. Provider comparison

5. Exit plan in detail

An exit plan must specify the data export format (open-source preferred: Parquet, JSON, CSV), the restore window (90 days is standard practice), and the formal deletion confirmation that must be provided by the provider. Without these clauses, recovery from a forced provider change becomes painful and slow.

Summary

Cloud migration adds four GDPR risk categories: contract gaps, transfer issues, configuration drift and lock-in. The 12-point checklist closes each at the right phase. Treat the exit plan as a first-class deliverable — it is the deliverable most often skipped and the one with the highest cost when it's missing.

View GDPR Kit →